Abstract

Distributed Denial-of-Service (DDoS) attacks continue
to trouble network operators and service providers, and
with increasing intensity. Effective response to DDoS can be slow
(because of manual diagnosis and interaction) and potentially
self-defeating (as indiscriminate filtering accomplishes a likely
goal of the attacker), and this is the result of the discrepancy
between the service provider’s flow-based, application-level view
of traffic and the network operator’s packet-based, network-level
view and limited functionality. Furthermore, a network required
to take action may be in an Autonomous System (AS) several AS hops
away from the service, so it has no direct relationship with
the service on whose behalf it acts. This paper presents Antidose,
a means of interaction between a vulnerable peripheral service
and an indirectly related AS that allows the AS to confidently
deploy local filtering with discrimination under the control of
the remote service. We implement the core filtering mechanism
of Antidose, and provide an analysis of it to demonstrate that
conscious attacks against the mechanism will not expose the AS
to additional attacks. We present a performance evaluation to
show that the mechanism is operationally feasible in the emerging
trend of operators’ willingness to increase the programmability
of their hardware with SDN technologies such as OpenFlow, as
well as to act to mitigate attacks on downstream customers.
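The discrepancy the abstract describes (an upstream AS that sees only packets and can only filter indiscriminately, versus a service that sees flows and can tell abusive clients from legitimate ones) can be made concrete with a small simulation. The following is an added illustration, not the paper's Antidose mechanism and not the authors' code: the packet records, the service-side request log, the completion-ratio heuristic, and the simplified match/action rule format are all constructed assumptions for the example.

```python
"""Added illustration: indiscriminate vs. service-directed filtering at an
upstream AS. All data below is constructed; this is not the Antidose design."""
from collections import defaultdict

# Constructed packet records as an upstream AS sees them:
# (src_ip, dst_ip, dst_port, payload_bytes). No application context is available.
PACKETS = [
    ("198.51.100.7", "203.0.113.10", 443, 1200),
    ("198.51.100.7", "203.0.113.10", 443, 900),
    ("198.51.100.8", "203.0.113.10", 443, 1100),
] + [("192.0.2.21", "203.0.113.10", 443, 64)] * 40 \
  + [("192.0.2.22", "203.0.113.10", 443, 64)] * 40

# Constructed service-side view: per client source, requests observed and how
# many completed normally (the flow-level signal the AS cannot see on its own).
SERVICE_LOG = {
    "198.51.100.7": {"requests": 2, "completed": 2},
    "198.51.100.8": {"requests": 1, "completed": 1},
    "192.0.2.21": {"requests": 40, "completed": 0},
    "192.0.2.22": {"requests": 40, "completed": 1},
}

VICTIM = "203.0.113.10"


def network_view(packets):
    """What the AS can compute by itself: per-source packet and byte counts."""
    view = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, _dst, _port, size in packets:
        view[src]["packets"] += 1
        view[src]["bytes"] += size
    return dict(view)


def service_deny_list(log, min_requests=10, max_completion=0.1):
    """The service, using its application-level view, names abusive sources.
    Hypothetical heuristic: many requests of which almost none complete."""
    deny = set()
    for src, stats in log.items():
        ratio = stats["completed"] / stats["requests"]
        if stats["requests"] >= min_requests and ratio <= max_completion:
            deny.add(src)
    return deny


def indiscriminate_filter(packets, dst):
    """Drop everything addressed to the victim: stops the flood, but also every
    legitimate client, which is the outcome the attacker wanted."""
    return [p for p in packets if p[1] != dst]


def discriminating_filter(packets, dst, deny):
    """Drop only packets to the victim from sources the service has denied."""
    return [p for p in packets if not (p[1] == dst and p[0] in deny)]


def to_flow_rules(dst, deny):
    """Express the deny list as simplified match/action rules a controller could
    push to a switch (illustrative dicts, not real OpenFlow messages)."""
    return [{"match": {"ipv4_src": src, "ipv4_dst": dst}, "action": "drop"}
            for src in sorted(deny)]


def legitimate_bytes(packets, log):
    """Bytes that survive from sources whose every request the service saw complete."""
    good = {s for s, st in log.items() if st["completed"] == st["requests"]}
    return sum(size for src, _d, _p, size in packets if src in good)


if __name__ == "__main__":
    deny = service_deny_list(SERVICE_LOG)
    print("AS-only view:", network_view(PACKETS))
    print("service deny list:", sorted(deny))
    print("rules:", to_flow_rules(VICTIM, deny))
    print("legit bytes, indiscriminate:",
          legitimate_bytes(indiscriminate_filter(PACKETS, VICTIM), SERVICE_LOG))
    print("legit bytes, discriminating:",
          legitimate_bytes(discriminating_filter(PACKETS, VICTIM, deny), SERVICE_LOG))
```

The point of the comparison is the last two lines of output: blanket filtering at the AS preserves none of the legitimate traffic, while filtering keyed on the service's flow-level judgement preserves all of it and still discards the flood. Whether an AS can trust such a remote judgement without exposing itself to abuse of the mechanism is exactly the question the paper's analysis addresses.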